The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Articles By Topic

By Topic: Due Diligence

  • From Vol. 3 No.3 (Feb. 8, 2017)

    How Fund Managers Can Prepare for Investor Cybersecurity Due Diligence 

    Cybersecurity remains a top-of-mind issue for regulators, investors and investment advisers. As part of operational due diligence, investors often evaluate whether an adviser has robust cybersecurity defenses. Similarly, advisers must ensure that their administrators, brokers and other third parties have appropriate defenses. A recent program hosted by the Investment Management Due Diligence Association gave specifics on what investors may be looking for, including due diligence questions they may ask and how they may evaluate a firm’s cybersecurity program, including its cyber insurance. See also our two-part series on vendor risk management “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (June 8, 2016). 

    Read Full Article …
  • From Vol. 2 No.25 (Dec. 14, 2016)

    Navigating Data Privacy Laws in Cross-Border Investigations

    Conducting a cross-border investigation or performing global due diligence each has its own set of unique challenges, which only become more formidable when coupled with a government inquiry. In the E.U. in particular, issues range from confusing and often conflicting privacy laws, to language and cultural barriers, to custodian access and local coordination. According to more than half of those who responded to a recent BDO survey, disparate data privacy laws are the biggest challenge to managing cross-border e-discovery. In a guest article, Deena Coffman and Nina Gross, managing directors at BDO, provide insight on the data privacy landscape in the E.U. and how to comply with competing demands during a cross-border investigation. See also “Foreign Attorneys Share Insight on Data Privacy and Privilege in Multinational Investigations” (May 25, 2016).

    Read Full Article …
  • From Vol. 2 No.20 (Oct. 5, 2016)

    Essential Cyber Due Diligence Considerations in M&A Deals Raised by Yahoo Breach

Yahoo’s massive 2014 data breach, made public only two months after Verizon announced its plans to acquire Yahoo for $4.83 billion, highlights the necessity for proper cybersecurity due diligence in advance of an acquisition, and for the acquiring company to account for an undetected breach as part of the value of the transaction. There probably needs to be “a little more cybersecurity homework done before pulling the trigger on an acquisition. We hope this situation brings that conversation to the forefront,” Milan Patel, a managing director in K2 Intelligence’s cyber defense practice, told The Cybersecurity Law Report. In this article, with insight from attorneys and technical consultants, we examine current contingencies in Verizon’s deal with Yahoo, detail the steps companies should be taking to identify and mitigate cyber risk through due diligence, and explain how to structure a deal to account for those potential risks. See “Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part One of Two)” (Sep. 16, 2015); Part Two (Sep. 30, 2015).

    Read Full Article …
  • From Vol. 2 No.19 (Sep. 21, 2016)

    Managing Data Privacy Challenges While Conducting Due Diligence and Investigations in China (Part Two of Two)

For companies doing business in China, understanding data privacy and cybersecurity legal requirements under Chinese law is critical. But once a company is familiar with these basic legal contours, more practical concerns dominate the ability to successfully conduct internal operations and external transactions. In this article, the second in a two-part series on China’s data privacy and cybersecurity laws, we share insights from practitioners working in China on how companies can manage the actual challenges of running their businesses while staying on the right side of the law. The first article in the series explained the basic structure of the data compliance regime in China, including criminal law, civil law, industry regulations and the draft Cybersecurity Law. See also “Understanding the Far-Reaching Impact of Chinese State Secrets Laws on Data Flow” (Jul. 6, 2016).

    Read Full Article …
  • From Vol. 2 No.12 (Jun. 8, 2016)

    Vendor Cyber Risk Management: 14 Key Contract Terms (Part Two of Two)

    Actions by third-party vendors with access to a company’s data are the cause of some of the most damaging breaches. Carefully vetting and monitoring those vendors is crucial to a strong cybersecurity program. At a recent panel at IAPP’s Global Privacy Summit, counsel from Under Armour, AOL and Unisys provided practical guidance on how to implement a comprehensive vendor management program. This article, the second installment in our coverage of the panel, includes fourteen key cybersecurity provisions to include in vendor contracts and the panelists’ strategies for monitoring the vendor relationship and for effective breach response. The first article in our series includes the panelists’ discussion of nine questions to ask vendors during the due diligence process and factors to consider before contract negotiations. See also “Learning From the Target Data Breach About Effective Third-Party Risk Management”: Part One (Sep. 16, 2015); Part Two (Sep. 30, 2015).

    Read Full Article …
  • From Vol. 2 No.11 (May 25, 2016)

    Vendor Cyber Risk Management: Nine Due Diligence Questions (Part One of Two)

    Some of the biggest cybersecurity headlines point to suppliers as the root cause of the most damaging breaches. This highlights the importance of carefully vetting and monitoring vendors as part of a strong cybersecurity program. At a recent panel at IAPP’s Global Privacy Summit, counsel from Under Armour, AOL and Unisys provided practical guidance on how to implement a comprehensive vendor management program and mitigate data security and privacy risks third-party vendors present. This first article in our series includes the panelists’ discussion of nine questions to ask vendors during the due diligence process and factors to consider before contract negotiations. The second installment in our coverage of the panel will include fourteen key cybersecurity provisions to include in vendor contracts. See also “Learning From the Target Data Breach About Effective Third-Party Risk Management”: Part One (Sep. 16, 2015); Part Two (Sep. 30, 2015).

    Read Full Article …
  • From Vol. 1 No.7 (Jul. 1, 2015)

    Cybersecurity and Information Governance Considerations in Mergers and Acquisitions

    The growing impact of cyber incidents has led to a heightened need to conduct a thorough cyber due diligence both before and after an M&A deal.  In a recent webinar, Reed Smith partners Anthony J. Diana, Courtney C.T. Horrigan, Mark S. Melodia and Richard D. Smith shared insight on how cybersecurity affects the valuation of certain assets and offered advice on how to focus due diligence to detect and assess cyber risks pre-transaction, including litigation risks that can arise from data breaches.  They also recommended specific steps for planning post-closing data integration and evaluating the adequacy of insurance coverage.  See also “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two of Two, Vol. 1, No. 2 (Apr. 22, 2015).  There has been a flurry of data breach activity over the past 10 years, and “it is only increasing in pace,” Melodia noted.  A company’s cyber risk can directly affect its value in an M&A context.  This is where “cyber risk meets the deal,” he said.

    Read Full Article …
  • From Vol. 1 No.2 (Apr. 22, 2015)

    Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part Two of Two)

    Vendors and other third parties – necessary for most businesses – present significant cybersecurity risks and are frequently the source of breaches, from large-scale incidents to smaller data leaks.  Properly vetting these third parties is a challenging, but critical, aspect of cybersecurity programs.  This article series provides a three-step framework to appropriately allocate resources to due diligence and mitigate the risks third parties pose.  Part One provided a framework for companies to (1) categorize potential vendors based on risk levels, including specific questions to ask; and (2) conduct initial due diligence on vendors that present a medium or high level of risk.  Part Two addresses when the categorization of medium-risk vendors should move to high-risk based on red flags discovered during the initial due diligence and details step three of the framework: deeper due diligence for high-risk vendors, including follow-up questioning, documentation of audits or certifications and in-person diligence. 

    Read Full Article …
  • From Vol. 1 No.1 (Apr. 8, 2015)

    Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two)

    Vendors and other third parties are vital to most businesses, but can leave a company dangerously vulnerable to a breach of its data or network.  As the Target breach demonstrated, even a non-IT vendor can cause widespread damage.  Properly vetting third parties remains one of the most challenging aspects of cybersecurity programs.  In order to appropriately allocate due diligence resources, companies must first assess potential third parties to determine which of them present low, medium or high levels of cybersecurity risk and subsequently conduct the corresponding levels of diligence.  This article, the first in our series, provides a framework for companies to (1) categorize potential vendors based on risk, including specific questions to ask; and (2) conduct initial due diligence on vendors that present a medium and high level of risk.  Part Two will address the third step of deeper due diligence for high-risk vendors.

    Read Full Article …